Security
The OWASP ModSecurity Core Rule Set 3.0
A defensive approach to web-application security generally relies on an onion architecture, with multiple layers of defense. One of those layers is often a web-application firewall (WAF), such as a WAF created using ModSecurity. As we saw in last week's article, though, writing ModSecurity rules for a web application can be an overwhelming task. For that reason, many turn to the OWASP ModSecurity Core Rule Set, or CRS for short; that project has just released CRS 3.0 with many improvements—notably for false-positive elimination.
Some background
The CRS is a set of generic blacklisting rules. Ofer Shezaf started the project almost exactly ten years ago by pulling in regular expressions from various other defense projects and writing new rules of his own. Later, Ryan Barnett took over and introduced the CRS scoring mechanism, where individual rules no longer block requests directly but, instead, raise an anomaly score. When all the rules have been executed, a user-defined threshold is applied and the request is blocked if it exceeds the value.
Barnett also steered the project into the arms of the Open Web Application Security Project (OWASP), where it is supported as a flagship project. It has become the most widespread WAF rule set on the internet. Last winter, Chaim Sanders took over and revived the project, which had slowed down a bit.
The CRS is a set of about 200 rules that try to detect attacks against web applications in a generic way. It does not know about individual exploits, but it knows the typical building blocks that are often used to construct attacks, such as those described by the OWASP Top Ten project.
One example might be hex-encoded payloads. Various SQL servers are known to decode and execute hex-encoded queries. Hex-encoded payloads are thus a good entry point for SQL injection attacks. That is why the CRS has a rule that detects a hex-encoded payload and flags it as a potential attack.
This is clearly a heuristic approach. Of course, not all hex-encoded payloads are an attack and sometimes you cannot even be sure something is really hex-encoded or just looks that way. So, in real life, there is always the chance of a false alarm: a false positive of the detection mechanism.
A typical example in this regard is session cookies: web applications use cookies to identify users by assigning their browser session a random string as a token. The browser will then submit this identification string with every request and the application server is able to link the request to a session. Many applications generate random session identifiers in a way that does not raise suspicion (e.g. simple hex strings without any "0x"). But there are applications that use the full alphabet and the numbers 0-9 for session identifiers. So there is some chance that the token string will contain "0x" followed by some hexadecimal numbers. The rule watching out for hex-encoded payloads will score a hit now and potentially block the user.
And that was exactly how this would play out in all CRS releases in the 2.x series. ModSecurity would alert on every request of the session with messages pointing to rule 981260 "SQL Hex Encoding Identified". It does not take much imagination to see that false positives are a major roadblock for WAF deployments and especially ModSecurity CRS deployments. However, with the new CRS 3.0 release, this is largely not the case.
New features of the 3.0 release
For the Core Rule Set 3.0 release, Sanders made the fight against false positives a priority. This was really needed, as false positives like the notorious "SQL Hex Encoding Identified"—or its partners in crime 981172 "Restricted SQL Character Anomaly Detection Alert: Cookies" and 981173 "Restricted SQL Character Anomaly Detection Alert: Request Parameters"—buried many system administrators under an avalanche of reports. False positives combined with a lack of documentation and guidance on how to fight them effectively would often lead to frustration and a full stop to the ModSecurity adventure. Or the WAF was put in detection-only mode with nobody looking at the alerts anymore. With the release of CRS 3.0, over 95% of false positives in the default install are gone. How was this achieved?
First, the rule set was consolidated for the CRS 3.0 release. This process began when Barnett was still running the project. The rules were categorized and only those that contributed substantially to the detection rate made the cut. Second, a wide group of SQL-injection and cross-site scripting (XSS) rules was abandoned in favor of Nick Galbreath's libinjection library, which does a far better job than the previous heuristics.
This year, the project closed existing holes in its detection capabilities. Walter Hop extended the rules fighting remote command execution (RCE) substantially and introduced a small group of highly efficient rules to detect PHP injection attempts. This is a delicate area as the most widespread content management systems (CMS) are written in PHP and their installations regularly fall victim to all sorts of attacks.
Of course, a CMS protected by the CRS used to cause many false positives, so the new rules had to be diligent in avoiding them. On top of this, the new release comes with a set of optional rule exclusions for the core installations of WordPress and Drupal. These are optional configuration files that tune the rules to avoid false positives for these applications. This means that the exclusion files switch off certain rules for certain requests or parameters where it is known that ModSecurity would trigger an alert.
Disabling individual rules in this way is always a compromise. The idea is to keep the disruption of the rule set to a minimum and, by reducing the false positives in such a way, allow people to actually run ModSecurity for WordPress and Drupal. Formerly, installations of CRS 2.x were usually disabled rather quickly unless the system administrator invested a lot of time and effort into the badly documented tuning process. The CRS 3.0 release also updates the documentation with a series of tutorials hosted at netnea, guiding users through the ModSecurity installation, the inclusion of the Core Rule Set, and handling the remaining false positives. Combine this with the second edition of the ModSecurity Handbook that has been released as a preview and you can see that the documentation situation has improved a great deal.
The default CRS 3.0 install is generally meant to be mostly void of false positives and it has detection capabilities at least on par with the CRS 2.x release line. Once the anomaly scoring threshold has been reduced to the minimum, if a higher security level is desired, more rules that are disabled by default can be enabled. This is called "Paranoia Mode". It is configured via the Paranoia Level (PL) configuration item.
Paranoia Level, which defaults to one, controls the selection of rules applied to a request. At PL1, you get about 150 rules known to have a high detection ability and that are unlikely to provoke false positives. Raise that to PL2 and you get an additional set of 30 rules that are a bit more aggressive—a bit more paranoid, so to speak. They cover more attacks, effectively raising the security level, but the system will likely receive a few false alarms in return, so the security comes at a price. The standard procedure is to look at these false positives and write rule exclusions.
Go to PL3 to get another 15 rules and now quite a few false positives with them. At PL3, one will become quite proficient at handling false positives. Finally, raising to PL4 reaches the maximum level of paranoia. Here, half a dozen additional rules go crazy with anything that does not look totally innocent.
For example, PL4 defines a small range of byte values it accepts in a request body. Every file upload and most special characters outside of letters and numbers will provoke an alert in an extremely paranoid way. If you write the necessary rule exclusions, you end up with an efficient way of protecting your application, with special characters limited to the places where they are really mandatory for the online application.
The definition of the byte range is also present in PL1, PL2, and PL3, but it is much more lax. With every new PL, new rules are applied that restrict the character set more and more. Think of it as a relaxed base rule and a set of stricter siblings.
The Paranoia Levels are meant to be mapped to the security level of a site. A private blog does not have the same resources to put into security that a site processing credit card data does. The project envisions a future where security officers and auditors regularly assign CRS Paranoia Levels to online services: "This is a PL3 service. Please reserve time in the project for the handling of false positives."
False positives are not the only obstacle on the road to a tight CRS setup. Often, system administrators are afraid of the performance impact. This is a serious concern. There is typically a performance loss of a few percentage points when introducing ModSecurity with the CRS. The exact value is hard to know in advance and depends on the situation.
The new Sampling Mode allows enabling the CRS for a limited percentage of requests in order to get a feeling for it. That makes it possible to observe the behavior and performance of an installation on a controllable number of requests. With growing confidence and possible performance problems weeded out, the sampling percentage can slowly be raised to 100%, which is the default value.
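As an added example (not from the article or from the CRS project's own files), here is a CRS 3.0 configuration that puts the pieces discussed above together: the Paranoia Level, the anomaly score thresholds, the bundled WordPress exclusion package, Sampling Mode, and a hand-written exclusion for the session-cookie false positive. The tx variable names and the directive syntax are ModSecurity's and CRS 3.0's; the SecAction ids, the file paths, the session cookie name sid and the login path are assumptions about the installation.

```apache
# 1. Settings edited in crs-setup.conf (CRS 3.0). This file is loaded before
#    the rule files, so the tx.* variables are already set when the rules run.

# Paranoia Level 2: the PL1 base rules plus the more aggressive PL2 siblings.
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=2"

# Anomaly thresholds. A critical-severity rule hit scores 5, so an inbound
# threshold of 5 blocks on the first critical match; the lower outbound
# threshold catches back-end error messages leaking in responses.
SecAction "id:900110,phase:1,nolog,pass,t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# Bundled rule exclusion package for a WordPress core installation.
SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_wordpress=1"

# Sampling Mode: only 10% of requests pass through the CRS while the
# performance impact is measured; raise towards 100 (the default) over time.
SecAction "id:900400,phase:1,nolog,pass,t:none,setvar:tx.sampling_percentage=10"

# 2. Load order in the httpd configuration (paths are assumptions).
#    Exclusions that modify rules must be loaded after the rules themselves.
SecRuleEngine On
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
Include /etc/modsecurity/crs-after.conf

# 3. crs-after.conf: hand-written exclusions. Rule 942450 is the CRS 3.0 id of
#    the hex-encoding check discussed above (981260 in CRS 2.x). The application
#    issues alphanumeric session tokens in the cookie "sid" (assumed name), so
#    stop that single cookie from being inspected by that single rule, rather
#    than disabling the rule for every request.
SecRuleUpdateTargetById 942450 "!REQUEST_COOKIES:sid"

# Narrower alternative: apply the same target exclusion only on the login
# path, keeping full inspection of the cookie everywhere else.
SecRule REQUEST_URI "@beginsWith /login" \
  "id:10001,phase:1,nolog,pass,t:none,\
  ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:sid"
```

Use only one of the two exclusion forms for a given rule and target; the SecRule form is the one to reach for when the false positive is confined to a few URLs.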
Overall, the kinds of attacks that the CRS targets are the major problem areas for web applications today, which is unsurprising. SQL injection, cross-site scripting, PHP code injection, and shell command injection are the types of attacks where the CRS has the strongest protections. Within the many rules, however, there are also rules covering protocol violations and alerting on back-end error messages reaching attackers.
With these new features and the false-positive problem solved to a large extent, the Core Rule Set is now ready for prime time. The times where only ModSecurity experts succeeded with their setups are gone. Well-tested beginner-level documentation, in the form of the tutorials mentioned above, and professional courses are available. So the project believes that the rule set is ready for wide adoption. This CRS 3.0 release is thus aimed at mainstream installations. The project has highlighted this with a release poster (seen at right) aimed at mainstream adoption.
Plans for the future
The mainstreaming of the CRS will also allow the project to bring new people into the community to help with the plans it has for the future. The developers want to reduce the remaining false negatives by using new detection methods. The project also wants to follow the development of new exploits and bypasses more attentively so that holes can be closed more quickly.
CRS 3.0 demonstrates that a predefined set of rule exclusions allows for a simple installation for WordPress and Drupal core. The project hopes to join forces with developers and security teams to expand this to the standard plugins for these systems and for a wider set of standard online applications that would be supported with optional rule exclusion files in future CRS releases.
The CRS documentation has improved a great deal. But the project won't stop until every rule is documented individually with an explanation of the mechanism, as well as examples of payloads triggering the rule, and unit tests safeguarding against errors in future pull requests. Eventually, the CRS project sees the rule set rolled out as the first line of defense against web-application attacks in the same way that hosting providers are now installing free TLS certificates from Let's Encrypt by default: simple, smooth, and with no nasty side effects, but a big improvement in terms of security.
Brief items
Security quotes of the week
And nobody really cares.
Sure, there is some noise about all this, but in a week or two nobody will even remember. There has been a similar story to this about every month all year long. Can you even remember any of them? The stock market doesn't; basically everyone who has ever had a crazy breach hasn't seen a long-term problem with their stock. Sure there will be a blip where everyone panics for a few days, then things go back to normal.
O'Cearbhaill: Reliably compromising Ubuntu desktops by attacking the crash reporter
Donncha O'Cearbhaill has discovered that Ubuntu's "apport" tool, which handles application crash data, passes arbitrary data to the Python eval() function. There are a couple of other vulnerabilities as well, making it possible to fully compromise a system. The bugs (now known as CVE-2016-9949, CVE-2016-9950, and CVE-2016-9951) have been fixed; applying the updates is highly recommended for Ubuntu users. "The computer security industry has a serious conflict of interest right now. There is major financial motivation for researchers to find and disclose vulnerability to exploit brokers. Many of the brokers are in the business of keeping problems unfixed. Code execution bugs are valuable. As a data point, I received an offer of more than 10,000 USD from an exploit vendor for these Apport bugs."
Project Wycheproof
Google has announced the release of a set of security tests that check cryptographic software libraries for known weaknesses, called Project Wycheproof. "Our first set of tests are written in Java, because Java has a common cryptographic interface. This allowed us to test multiple providers with a single test suite. While this interface is somewhat low level, and should not be used directly, we still apply a "defense in depth" argument and expect that the implementations are as robust as possible. For example, we consider weak default values to be a significant security flaw. We are converting as many tests into sets of test vectors to simplify porting the tests to other languages."
A security update from the Freenode infrastructure team
A freenode volunteer identified a suspected compromise of their e-mail accounts, which could have provided an unauthorized user with limited access to some data sent through internal e-mail systems. "Naturally, we instigated audit procedures immediately so as to ensure the security of the production network and accompanying infrastructure. The investigation is ongoing, but at this time we have no reason to believe that any other unauthorised access was gained. Nevertheless, in the interests of transparency and security for our users, we wish to notify anyone who may have been affected." It is recommended that you change your Freenode password as a precaution. (Thanks to Paul Wise)
New vulnerabilities
apport: three vulnerabilities
| Package(s): | apport | CVE #(s): | CVE-2016-9949, CVE-2016-9950, CVE-2016-9951 |
| Created: | December 15, 2016 | Updated: | December 21, 2016 |
| Description: | From the Ubuntu advisory: Donncha O Cearbhaill discovered that the crash file parser in Apport improperly treated the CrashDB field as python code. An attacker could use this to convince a user to open a maliciously crafted crash file and execute arbitrary code with the privileges of that user. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-9949) Donncha O Cearbhaill discovered that Apport did not properly sanitize the Package and SourcePackage fields in crash files before processing package specific hooks. An attacker could use this to convince a user to open a maliciously crafted crash file and execute arbitrary code with the privileges of that user. (CVE-2016-9950) Donncha O Cearbhaill discovered that Apport would offer to restart an application based on the contents of the RespawnCommand or ProcCmdline fields in a crash file. An attacker could use this to convince a user to open a maliciously crafted crash file and execute arbitrary code with the privileges of that user. (CVE-2016-9951) |
ceph: denial of service
| Package(s): | ceph | CVE #(s): | CVE-2016-5009 |
| Created: | December 21, 2016 | Updated: | December 21, 2016 |
| Description: | From the CVE entry: The handle_command function in mon/Monitor.cc in Ceph allows remote authenticated users to cause a denial of service (segmentation fault and ceph monitor crash) via an (1) empty or (2) crafted prefix. |
dcmtk: buffer overflows/underflows
| Package(s): | dcmtk | CVE #(s): | CVE-2015-8979 |
| Created: | December 21, 2016 | Updated: | December 30, 2016 |
| Description: | From the Debian LTS advisory: At several places in the code a wrong length of ACSE data structures received over the network can cause overflows or underflows when processing those data structures. Related checks have been added at various places in order to prevent such (possible) attacks. Thanks to Kevin Basista for the report. The bug will indeed affect all DCMTK-based server applications that accept incoming DICOM network connections that are using the dcmtk-3.6.0 and earlier versions. |
firefox: denial of service
| Package(s): | firefox | CVE #(s): | |
| Created: | December 16, 2016 | Updated: | December 21, 2016 |
| Description: | From the Red Hat bugzilla entry: Dragging around the Google map from http://pskreporter.info/ for a bit, in an X session, eventually causes firefox to crash with a Gdk-ERROR BadAccess |
flightgear: file overwrites
| Package(s): | flightgear | CVE #(s): | CVE-2016-9956 |
| Created: | December 21, 2016 | Updated: | January 9, 2017 |
| Description: | From the Debian advisory: It was discovered that the Flight Gear flight simulator performs insufficient sanitising of Nasal scripts which allows a malicious script to overwrite arbitrary files with the privileges of the user running Flight Gear. |
freeipa: two vulnerabilities
| Package(s): | freeipa | CVE #(s): | CVE-2016-9575, CVE-2016-7030 |
| Created: | December 20, 2016 | Updated: | January 4, 2017 |
| Description: | From the Red Hat bugzilla: CVE-2016-9575: Due to a missing permission check, certprofile-mod can be used by an authenticated but unprivileged user to modify certificate profile configuration. This could allow the issuance of certificates with fraudulent subject naming information (allowing the holder of the private key to impersonate another entity), or inappropriate key usage or extended key usage information (use of certificate for unauthorised purposes e.g. code signing). Affected versions: 4.2 and above (all versions supporting certificate profiles) CVE-2016-7030: A flaw was found that allows any unauthenticated party to easily run DoS attack against kerberized services in FreeIPA/IdM realm. FreeIPA contains MIT KDC as its main component + FreeIPA is using custom database driver for the KDC. As a side-effect of implementation, FreeIPA is enforcing password policies for all principals, including services which do not use "password" but keytab with randomly-generated/strong key. Default password policy locks an account after 5 unsuccessful authentication attempts for 10 minutes. An attacker can use this to simply lock-out any principal, including system services. |
game-music-emu: multiple vulnerabilities
| Package(s): | game-music-emu | CVE #(s): | CVE-2016-9957, CVE-2016-9958, CVE-2016-9959, CVE-2016-9960, CVE-2016-9961 |
| Created: | December 19, 2016 | Updated: | February 13, 2017 |
| Description: | From the Debian LTS advisory: Chris Evans found several issues in the emulation code in game-music-emu that could lead to arbitrary code execution. Further information can be found at http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html |
gstreamer-plugins-good: denial of service
| Package(s): | gstreamer-plugins-good | CVE #(s): | CVE-2016-9807 |
| Created: | December 21, 2016 | Updated: | December 22, 2016 |
| Description: | From the Red Hat advisory: An invalid memory read access flaw was found in GStreamer's FLC/FLI/FLX media file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash. |
kernel: out of bounds stack read
| Package(s): | kernel | CVE #(s): | CVE-2016-8399 |
| Created: | December 19, 2016 | Updated: | December 21, 2016 |
| Description: | From the Red Hat bugzilla: Due to lack of size checking on ICMP header length, it is possible to cause out-of-bounds read on stack. |
kernel: two vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2016-6213, CVE-2016-9313 |
| Created: | December 21, 2016 | Updated: | December 21, 2016 |
| Description: | From the Ubuntu advisory: CAI Qian discovered that shared bind mounts in a mount namespace exponentially added entries without restriction to the Linux kernel's mount table. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6213) It was discovered that the keyring implementation in the Linux kernel improperly handled crypto registration in conjunction with successful key-type registration. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-9313) |
kernel: code execution
| Package(s): | kernel | CVE #(s): | CVE-2016-4568 |
| Created: | December 21, 2016 | Updated: | December 21, 2016 |
| Description: | From the Ubuntu advisory: It was discovered that the Video For Linux Two (v4l2) implementation in the Linux kernel did not properly handle multiple planes when processing a VIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. |
libupnp: code execution
| Package(s): | libupnp | CVE #(s): | CVE-2016-8863 |
| Created: | December 16, 2016 | Updated: | January 4, 2017 |
| Description: | From the Debian advisory: CVE-2016-8863: Scott Tenaglia discovered a heap buffer overflow vulnerability, that can lead to denial of service or remote code execution. |
most: command execution
| Package(s): | most | CVE #(s): | CVE-2016-1253 |
| Created: | December 19, 2016 | Updated: | December 21, 2016 |
| Description: | From the Debian LTS advisory: The most pager can automatically open files compressed with gzip, bzip2 and (in Debian) LZMA. Alberto Garcia discovered that Debian's version of most was susceptible to a shell injection attack that could be exploited to run arbitrary commands on the user's computer. |
nagios: two vulnerabilities
| Package(s): | nagios | CVE #(s): | CVE-2016-9565, CVE-2016-9566 |
| Created: | December 19, 2016 | Updated: | February 13, 2017 |
| Description: | From the CVE entries: MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796. (CVE-2016-9565) base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565. (CVE-2016-9566) |
openjpeg2: two vulnerabilities
| Package(s): | openjpeg2 | CVE #(s): | CVE-2016-9580, CVE-2016-9581 |
| Created: | December 20, 2016 | Updated: | January 2, 2017 |
| Description: | From the Red Hat bugzilla: CVE-2016-9580: An integer overflow vulnerability was found in tiftoimage function resulting into heap buffer overflow. CVE-2016-9581: An infinite loop vulnerability in tiftoimage that results into heap buffer overflow in convert_32s_C1P1 was found. |
python-bottle: CRLF attacks
| Package(s): | python-bottle | CVE #(s): | CVE-2016-9964 |
| Created: | December 21, 2016 | Updated: | January 30, 2017 |
| Description: | From the Debian advisory: It was discovered that bottle, a WSGI-framework for the Python programming language, did not properly filter "\r\n" sequences when handling redirections. This allowed an attacker to perform CRLF attacks such as HTTP header injection. |
samba: three vulnerabilities
| Package(s): | samba | CVE #(s): | CVE-2016-2123, CVE-2016-2125, CVE-2016-2126 |
| Created: | December 19, 2016 | Updated: | January 9, 2017 |
| Description: | From the Debian advisory: CVE-2016-2123: Trend Micro's Zero Day Initiative and Frederic Besler discovered that the routine ndr_pull_dnsp_name, used to parse data from the Samba Active Directory ldb database, contains an integer overflow flaw, leading to an attacker-controlled memory overwrite. An authenticated user can take advantage of this flaw for remote privilege escalation. CVE-2016-2125: Simo Sorce of Red Hat discovered that the Samba client code always requests a forwardable ticket when using Kerberos authentication. A target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service. CVE-2016-2126: Volker Lendecke discovered several flaws in the Kerberos PAC validation. A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions. |
tomcat: two vulnerabilities
| Package(s): | tomcat | CVE #(s): | CVE-2016-9774, CVE-2016-9775 |
| Created: | December 19, 2016 | Updated: | December 21, 2016 |
| Description: | From the Debian advisory: Multiple security vulnerabilities were discovered in the Tomcat servlet and JSP engine, as well as in its Debian-specific maintainer scripts. Those flaws allowed for privilege escalation, information disclosure, and remote code execution. |
tomcat: denial of service
| Package(s): | tomcat | CVE #(s): | CVE-2016-6817 |
| Created: | December 15, 2016 | Updated: | December 21, 2016 |
| Description: | From the Red Hat bugzilla entry: The HTTP/2 header parser entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible. |
tor: denial of service
| Package(s): | tor | CVE #(s): | CVE-2016-1254 |
| Created: | December 20, 2016 | Updated: | January 6, 2017 |
| Description: | From the Debian advisory: It was discovered that Tor, a connection-based low-latency anonymous communication system, may read one byte past a buffer when parsing hidden service descriptors. This issue may enable a hostile hidden service to crash Tor clients depending on hardening options and malloc implementation. |
xen: information leak
| Package(s): | xen | CVE #(s): | CVE-2016-9932 |
| Created: | December 20, 2016 | Updated: | December 22, 2016 |
| Description: | From the Red Hat bugzilla: The x86 instruction CMPXCHG8B is supposed to ignore legacy operand size overrides; it only honors the REX.W override (making it CMPXCHG16B). So, the operand size is always 8 or 16. When support for CMPXCHG16B emulation was added to the instruction emulator, this restriction on the set of possible operand sizes was relied on in some parts of the emulation; but a wrong, fully general, operand size value was used for other parts of the emulation. As a result, if a guest uses a supposedly-ignored operand size prefix, a small amount of hypervisor stack data is leaked to the guests: a 96 bit leak to guests running in 64-bit mode; or, a 32 bit leak to other guests. A malicious unprivileged guest may be able to obtain sensitive information from the host. |
xen: multiple vulnerabilities
| Package(s): | xen | CVE #(s): | CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818, CVE-2016-9921, CVE-2016-9922, CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916 |
| Created: | December 19, 2016 | Updated: | December 21, 2016 |
| Description: | From the Red Hat bugzilla: CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916: Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to memory leakage issue. It could occur via its '9p-handle' or '9p-proxy' backend drivers as they do not free their respective allocated data objects. A privileged user inside guest could use this flaw to leak host memory, thus affecting other services on the host and/or potentially crash the Qemu process on the host. CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818, xsa201: Depending on how the hardware and firmware have been integrated, guest-triggered asynchronous aborts (SError on ARMv8) may be received by the hypervisor. The current action is to crash the host. A guest might trigger an asynchronous abort when accessing memory mapped hardware in a non-conventional way. Even if device pass-through has not been configured, the hypervisor may give the guest access to memory mapped hardware in order to take advantage of hardware virtualization. CVE-2016-9921, CVE-2016-9922: Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS. |
zlib: multiple vulnerabilities
| Package(s): | zlib | CVE #(s): | CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843 |
| Created: | December 21, 2016 | Updated: | January 23, 2017 |
| Description: | From the openSUSE advisory: - Avoid out-of-bounds pointer arithmetic in inftrees.c (boo#1003579, CVE-2016-9840, CVE-2016-9841) - Avoid left-shift with negative number (boo#1003580, CVE-2016-9842) - Avoid undefined behaviour in pointer arithmetic on powerpc (boo#1013882, CVE-2016-9843) |
Page editor: Jake Edge